tech-userlevel archive


Re: CVS commit: src/usr.bin/nbsvtool



In article <20080715122453.GE1038%britannica.bec.de@localhost> Joerg wrote:
: On Tue, Jul 15, 2008 at 01:31:19PM +0200, Dieter Baron wrote:
: > > This also goes for all other files - at least giving a hint via a filename
: > > suffix may help a bit.
: > 
: >   Agreed.  Joerg, could you please add the usual suffixes to the names
: > used in arguments, options, and examples?

: Keys and certificates use .pem,

  Also for multiple concatenated certificates?

  Could you please make the relevant changes to the man page?

: for the others no common suffix exists.

  For signatures, we use .sp7, but that is already in the man page.

: > > Way to go until this is foolproof... :-(
: > 
: >   This is not an end user tool, so it doesn't have to be fool proof.
: > I expect the application using this tool (e.g. pkg_install) to provide
: > additional information about the policies in use.

: Well, it should be used to verify binary updates etc. For that more
: specific rules can be set e.g. as part of the release notes.

  I would expect a wrapper script for that.  We should not require the
end user to copy complicated command lines from the release notes,
least of all in an area where mistakes can have serious security
implications.

  For creating signatures of releases I would expect a make or
build.sh target.  For binary patches, it should be part of whatever
tool/script creates them.

  Thus, for recurring tasks, I would not expect nbsvtool to be called
directly by a person.

                                        yours,
                                        dillo

